Published online: 27 March 2019#

Higher Education (2019) 78:911–930

The New Silk Road: a bumpy ride for Sino-Europeancollaborative research under the GDPR?

Stijn van Deursen1,2 & Henk Kummeling1

The Author(s) 2019

AbstractThe Chinese New Silk Road initiative offers unique opportunities for setting up Sino-Europeanresearch collaborations. Academic cooperation between countries that are rooted in completelydifferent legal, cultural, and academic backgrounds might however also create new challenges.This article investigates the impact of these differences in the field of the protection of personaldata, which is a topic that is currently high on the EU’s agenda. Whereas the protection ofpersonal data is engrained in the European Union’s legal framework, this is not the case in China.This might be problematic, given the fact that scientific collaboration often entails the exchangeof (sensitive) personal data. We explore to what extent the General Data Protection Regulationstill allows the transfer of such data for scientific purposes to China. After having analyzed theChinese system in light of the European legislation, we conclude that the sharing of personal datawith China is challenging at a minimum. Until more stable legal arrangements are set up in orderto facilitate such practices, it is important to share only anonymized data or to acquire consent ofthe data subject.

Keywords Research collaboration . Personal data . GDPR . China . EuropeanUnion

A New Silk Road through the dynamic field of international researchcollaboration

The world of international collaborative research is rapidly changing: recent events such as Brexitand the US turning its back to international cooperation have led to a tendency to restrict free

https://doi.org/10.1007/s10734-019-00377-5

Stijn van Deursen is researcher at the Utrecht University School of Law and student of the Legal ResearchMasters. Henk Kummeling is Distinguished University Professor Constitutional Law and Rector of UtrechtUniversity. Both authors are researchers involved in the international New Silk Road research project. See formore information: www.academicsilkroad.org and www.uu.en/en/organisation/centre-for-global-challenges/projects/the-new-silk-road. Research for this contribution ended on 25 February 2019.

* Stijn van Deursens.vandeursen@uu.nl

1 Utrecht University, Utrecht, The Netherlands2 Utrecht University, Heidelberglaan 8, 3584 CS Utrecht, The Netherlands

flows of knowledge, ideas, and students (Hille 2018; Kirby and Van der Wende 2019). At thesame time, China has launched its New Silk Road initiative (also known as the One Belt OneRoad project, or Belt and Road Initiative). The New Silk Road initiative is aimed at a furtherintegration of China and countries in, among others, Europe, Asia, and Africa. Although theinitiative is to a large extent aimed at establishing traditional infrastructure, such as bridges andrailways, it also seeks to strengthen digital connections (see, for example, Economist 2018; Deeks2018). These developments have the potential to integrate major parts of the world, but it is notentirely clear under what conditions this will take place and who will define these conditions (seealso Kirby and Van der Wende 2019).

There are several reasons to assume that the New Silk Road will influence both higher educationand research in Europe and beyond, as also identified by, among others, Kirby and Van der Wende(2019, p. 129) First of all, just like the ancient silk road, the New Silk Road and its digitalinfrastructures will not only carry goods and persons but also knowledge and ideas. Secondly,Kirby and Van derWende describe the rise of China as a global power as one of the most importantgeopolitical trends of the early twenty-first century. Just like previous major geopolitical events—such as the Second World War, the creation of the EU, and the fall of the Berlin wall—had aconsiderable impact on higher education and research, it seems likely that the New Silk Road willimpact the world of higher education and research. Finally, the Chinese system of research anddevelopment is rapidly advancing (see for recent developments of the GDP spending on R&D inChina in comparison to the EU and the USA: OECD 2019a, and for such data for R&D intensity:OECD 2019b; Economist 2019b; Van der Wende and Tijssen 2019). Such developments mightinfluence both China’s regional partners, but also its global competitors (Kirby and Van derWende 2019, p. 129). Moreover, alongside the New Silk Road, several projects are set up whichare specifically aimed at fostering academic collaboration, such as theUniversityAlliance of the SilkRoad and the Belt and Road Platform to Promote Innovation. At the same time, collaborativeresearch with China is one of the priorities in the international research agenda at both EuropeanUnion level aswell as in the EuropeanMember States (see, for example, the agreement for scientificand technological cooperation between the European Community and the Government of thePeople’s Republic of China; The EU-China 2020 Strategic Agenda for Cooperation; EUDelegationto China and Mongolia 2014; D’Hooge et al. 2018, pp. 13–14). Although Chinese universities arethus flourishing in many ways and cooperation can therefore create unique academic opportunities,there are also challenges connected to collaborative research between institutions in countries thatare rooted in different cultural, legal, and academic backgrounds (Kirby andVan derWende 2018, p.128). The New Silk Road might therefore also provide a bumpy ride. The international New SilkRoad research project, in which both authors are involved as researchers, investigates China’s rise inglobal higher education and its possible implications for higher education and research cooperationbetween China and Europe.1 It does so in four main areas of inquiry: the trends in academic trafficon the New Silk Road; the response of the higher education institutions to new opportunities; theconditions under which these activities can take place and finally the values that underpin the idea ofthe university and its role in international collaboration.

In this contribution, we enter the third area of inquiry by focusing on the question of to whatextent the current European conditions on protecting and sharing personal data allow fortransferring such data to China in the context of collaborative research. This is an importantquestion because, as also mentioned by European Data Protection Supervisor Giovanni

1 www.academicsilkroad.org and www.uu.en/en/organisation/centre-for-global-challenges/projects/the-new-silk-road. The project will be concluded with an international conference in Germany in May 2020.

912 Higher Education (2019) 78:911–930

Buttarelli in his 2016 speech, data can be seen as the fuel and catalyst of innovative research:sharing data with research partners is a pledge of trust and a sign of mutual confidence andrespect, and can lead to new and innovative results (Buttarelli 2016). Thereby, data have thepotential to save lives (DG Internal Policies 2016). At the same time, unregulated use of datarelating to individuals can have considerable negative impacts for these individuals, such asidentity theft or discrimination. In the European Union, these risks are mitigated by thefundamental right to the protection of personal data, which forms part of the Europeanconstitutional fabric. The right to the protection of personal data is operationalized in theGeneral Data Protection Regulation (GDPR). In China, however, such a right does not seem tobe explicitly incorporated in the legal system. Such differences should, however, in our viewnot lead to a direct rejection of all cooperation with China. The answer to the question of howmuch cooperation is possible should rather be based on a clear strategy and an assessment ofthe risks, challenges, and benefits that are involved (see also D’Hooge et al. 2018, iv;Economist 2019a). In this contribution, we explore this balance between scientific develop-ment and the protection of individual’s personal data.

In order to answer the question of to what extent the current European framework allowsfor a transfer of personal data to China for scientific purposes, this contribution firstly providesa short introduction into the GDPR, its place in the legal landscape of the European Union, andits regime with regard to personal data gathered in research situations (BThe GDPR’s conse-quences for collaborative research^). Then the focus shifts to a description of the GDPR’sapproach with regard to the transfer of personal data to third countries (BThe GDPR’s regimefor third country transfers of personal data for scientific purposes^). In the following section, abrief comparative glance at the Chinese data protection regime is provided. The BFuturedirections for transporting personal data over the New Silk Road^ section subsequentlyaddresses the potential obstacles arising out of the different approaches of both the EU andChina with regard to the protection of personal data in the context of scientific research andprovides further directions for sharing such data with China. Because of our focus on activitiesfalling within the scope of the GDPR, we do not focus on the flow of personal data fromChinese entities or data regarding Chinese citizens to the EU, although this might also poseinteresting and fundamental legal and ethical challenges.

The GDPR’s consequences for collaborative research

Many types of scientific research concern information that can either directly or indirectly berelated to individuals. This might be both information on research subjects and information onresearchers themselves. In the Member States of the European Union, the protection of suchpersonal data is considered a fundamental right, which was first implicitly laid down in Art. 8of the European Convention of Human Rights (ECHR) and later more explicitly in Convention108 of the Council of Europe and in Art. 8 of the Charter of Fundamental Rights of theEuropean Union.2 Since 1995, this right was inter alia operationalized in Directive 95/46/EGon the protection of individuals with regard to the processing of personal data and on the free

2 Art. 8 ECHR provides that B[e]veryone has the right to respect for his private and family life, his home and hiscorrespondence.^ See for an overview of the role of this article in protection personal data also ECtHR 2018. Art.8 CFR explicitly lays down that B[e]veryone has the right to the protection of personal data concerning him orher.^ Convention 108 of the Council of Europe provides rules for the protection of individuals with regard to theautomatic processing of personal data.

913Higher Education (2019) 78:911–930

movement of such data (hereinafter, Data Protection Directive). This directive aimed to ensurethat personal data could flow freely from one European Member State to another, while at thesame time safeguarding the fundamental rights and freedoms of individuals (Art. 1 andRecitals 1–9, Data Protection Directive; Voigt and Von dem Bussche 2017, p. 2). To do so,the Data Protection Directive not only provided rules on the processing of personal data withinthe European Union but also for the transfer of such data to countries and internationalorganizations outside the European Union (Chapter IV, Data Protection Directive). However,a general characteristic of European directives is that they are only binding with regard to theirobjective and that they are not directly applicable in the European Member States (Art. 288(3)Treaty on the Functioning of the European Union). In order to reach their objective, directivestherefore have to be implemented in the national legal orders of the European Member States.The Member States are generally free to choose the specific means that they use in order to doso (Barnard and Peers 2014, p. 99). For the Data Protection Directive, this entailed that—although the (main) objective of ensuring a balance between the free flow of personal data andthe protection of fundamental rights was binding—it was left to the authorities of the EUMember States to choose the actual form and methods that were used in order to achieve thisobjective.3 The discretionary space that was left to Member States resulted in a patchwork ofnational approaches (Recital 9 GDPR; Voigt and Von dem Bussche 2017, p. 2; Handbook onEU Data Protection Law 2018, p. 30).

In 2010, the European Commission reviewed this European framework of data protectionand concluded that the Data Protection Directive could not live up to all of its objectives. Theplethora of approaches in the European Member States led to differences in Bassessing thelevel of adequacy of [safeguarding data protection rights in] third countries, or internationalorganisations, and involves the risk that the level of protection of data subjects provided for ina third country is judged differently from one Member State to another^ (EuropeanCommission 2010, p. 15). This unclarity with regard to the transfer of personal data tocountries outside of the European Union was one of the reasons that necessitated a new legalinstrument according to the Commission (European Commission 2010, p. 15).4

Because the objectives of the Directive were at the same time still considered to bevalid, the Commission stated that the identified challenges required Bthe EU to develop acomprehensive and coherent approach guaranteeing that the fundamental right to dataprotection for individuals is fully respected within the EU and beyond^ (EuropeanCommission 2010, p. 4). This desired comprehensive and coherent approach was madepossible by the adoption of new primary legislation, which came into force after theadoption of the Data Protection Directive in 1995 and provided the European legislatorwith a stronger legal basis in primary Union law.5

3 Art. 288(3) TFEU. The Data Protection Directive allowed for a certain margin for maneuver, which was also atissue in Case C-101/01 Lindqvist ECLI:EU:C:2003:596 [2003] (especially in para 97). In order to safeguardcoherence under the Data Protection Directive, the so-called Article 29 Working Party was set up as an advisorybody.4 For more on the evaluation of the framework on data protection under the Data Protection Directive, seeRobinson et al. (2009) and Recital 9 GDPR.5 The most important of which are Art. 16(2) TFEU and Art. 8 Charter of fundamental Rights of the EuropeanUnion. Art. 16(2) TFEU provides that BThe European Parliament and the Council, (…), shall lay down the rulesrelating to the protection of individuals with regard to the processing of personal data (…), and the rules relatingto the free movement of such data.^ Art. 8 CFR explicitly incorporates a fundamental right to the protection ofpersonal data into the legal order of the European Union.

914 Higher Education (2019) 78:911–930

After a lengthy legislative procedure, Regulation 2016/679 on the protection of naturalpersons with regard to the processing of personal data and on the free movement of such data(GDPR) was adopted in 2016. First of all, contrary to the Data Protection Directive, the GDPRis not a directive but a regulation which therefore has general application; it is binding in itsentirety and since 25 May 2018 directly applicable in all EU Member States. On specificpoints, the GDPR requires further national rules in order to ensure its full effectiveness. See,for example, of the use of this discretionary space by Member States in the field of researchalso paragraph 3.1 of this contribution. By this approach, the GDPR seeks to ensure aBconsistent and high level of protection of natural persons and to remove the obstacles toflows of personal data within the Union^ (Recital 10 GDPR). In order to do so, compared tothe Data Protection Directive, the GDPR is not only more focused at ensuring compliance byrequiring new compliance mechanisms but also introduces stronger rights and enforcementmeasures for data subjects.6

The GDPR is applicable to the processing of any data relating to natural persons if thistakes place by an entity that is established in the EU or in case these data relate to EUindividuals.7 Crucial terms with regard to the applicability of the GDPR are therefore that ofpersonal data and the processing thereof.

Personal data are any information that is or can be related to an identified or identifiableliving person: the data subject (Art. 4(1) GDPR). An identifiable natural person is subsequent-ly defined by the GDPR as Bone who can be identified, directly or indirectly, in particular byreference to an identifier such as a name, an identification number, location data, an onlineidentifier or to one or more factors specific to the physical, physiological, genetic, mental,economic, cultural or social identity of that natural person.^8 In case law of the Court of Justiceof the European Union, the concept of information has been interpreted broadly: it alsoincludes subjective matters such as opinions or assessments, which can be seen as reflectionsof an individual’s intellect, thought processes, and judgments.9 Moreover, the notion ofpersonal data also includes information which can be indirectly related to a natural person,for example, by using additional information, data sets, or Ball the means reasonably likely tobe used.^10 In order to determine whether certain means are reasonably likely to be used, allobjective factors should be taken into account. This includes factors such as costs, time, and

6 The GDPR, for example, introduces a stronger regime for compliance and accountability (Art. 24 GDPR), theprotection of privacy by design (Art. 25 GDPR), and new risk assessment methods (Art. 35 GDPR), and requirescertain entities to designate a Data Protection Officer (Art. 37 GDPR). New data subject rights include a right todata portability (Art. 20 GDPR), a right to be forgotten (Art. 17 GDPR; however, in case law of the CJEU, such aright was already recognized: Case C-131/12 Google Spain [2014]), and a right to damages in case of a breach ofdata protection obligations (Art. 82 GDPR).7 Art. 2–4 GDPR.8 Art. 4(1) GDPR.9 Case C-434/16 Peter Nowak ECLI:EU:C:2017:994 (2017) para 34 and 37. See also Art. 29 Working Party,BThe concept of personal data^ (Opinion 4/2007), 6. Under the GDPR, the Article 29Working Party is succeededby the European Data Protection Board (EDPB). Just like the Article 29 Working Party, the main task of theEDPB is to watch over the consistent application of the GDPR. In a number of endorsements, the EDPB hasconfirmed the work of the Article 29 Working Party that relates to the GDPR. The EDPB has not expressed itselfon other work of the Article 29 Working Party, such as on this opinion. However, under the GDPR, the definitionof personal data has not changed compared to the Data Protection Directive. Therefore, in our view, the Article29 Working Party’s opinion the concept of personal data is still valid.10 Recital 26 GDPR. See, for an example, of identifying natural persons by using statistical data:Narayanan and Shmatikov 2008 (using statistical data in order to identify individual Netflix users anduncover, e.g., their apparent political preferences and other potentially sensitive information); Voigt andVon dem Bussche 2017, p. 12.

915Higher Education (2019) 78:911–930

available technology at the time of processing as well as expected technological developments(Recital 26 GDPR). The concept of personal data is thus broad, which implies for scientificresearch that in case a study relates to information that can be linked to living individuals, theGDPR is applicable. The applicability of the GDPR to scientific research is also explicitlyconfirmed by Recital 159, which subsequently introduces the broad interpretation of suchresearch. This covers, for example, not only technological development and demonstration,fundamental research, applied research, and privately funded research but also studies con-ducted in the public interest in the area of public health, historical research, and research forgenealogical purposes. Here, it is important to stress that the GDPR is not applicable todeceased persons (Recitals 159–160).

Probably not surprising, the concept of processing is likewise broadly defined by the GDPRand includes not only any operation relating to personal data, such as collection, recording,organization, structuring, storage, adaptation or alteration, retrieval, dissemination or otherwisemaking available, but also erasure or destruction (Art. 4(2) GDPR). Seen in light of theaforementioned broad definition of personal data, this implies that virtually any use ofinformation on the basis of which a living natural person can be identified is covered by theGDPR. This therefore also includes almost all use of information relating to individuals inscientific contexts. It is, however, important to bear in mind that data that are anonymized—i.e., data that cannot be traced back to a natural person—do not fall within the scope of theGDPR. The relevance thereof is further discussed in the section focusing on the BProcessing ofpersonal data for research purposes under the GDPR^.

In case of collaborative research involving multiple research institutions, the GDPR isfirstly applicable if one of the research institutions involved in the transfer of personal data isestablished in the European Union.11 Secondly, the GDPR applies as well in case the researchinstitution is established outside of the European Union while the processed data relate to datasubjects that are in the European Union, or if the data relate to the behavior of data subjectswithin the European Union (Art. 3 GDPR).

The GDPR’s regime for third country transfers of personal datafor scientific purposes

The transfer of personal data to China, a country that is not part of the European Union, has tocomply with the regime laid down in Art. 44 GDPR and further. This basically requires that thelevel of protection that is offered to personal data in the European Union may not beundermined by the transfer of such data.

The assessment of a transfer of personal data to either an international organization or to athird country exists of two stages. First of all, a transfer is a form of processing and thereforehas to comply with the requirements for processing of the GDPR. This step therefore concernsthe transferring process. Secondly, the transfer should be surrounded with sufficient

11 This presupposes that the university is able to determine the purposes and means of the processing of personaldata and therefore qualifies either as controller or as joint-controller (Art. 4(7) and Art. 26 GDPR). In mostsituations, this will indeed be the case. According to the Article 29 Working Party, in order to provide datasubjects with a more stable and reliable entity for the enforcement of their rights, preference should be given toconsider a company as controller, rather than a specific person within that company (Article 29 Data ProtectionWorking Party 2010, p. 15). In most cases, the institution for which an individual researcher is working willtherefore qualify as controller.

916 Higher Education (2019) 78:911–930

safeguards in order to make sure that the international organization or third country in questionprovides an adequate level of protection. Hence, this step focuses on the situation in therecipient third country.

Processing of personal data for research purposes under the GDPR

Under the GDPR’s broad definition of processing, the transfer of personal data for scientificpurposes is regarded as a form of processing that should therefore comply with the substantivenorms of the GDPR.12 This means that all processing of any type of personal data should bedone in accordance with the data processing principles of the GDPR. The GDPR applies astricter regime for the processing of special categories of personal data, which is informationrevealing Bracial or ethnic origin, political opinions, religious or philosophical beliefs, or tradeunion membership, (…) genetic data, biometric data for the purpose of uniquely identifying anatural person, data concerning health or data concerning a natural person’s sex life or sexualorientation^ (Art. 9(1) GDPR). The processing of such data, which is not unlikely in thecontext of scientific research collaboration, is in principle prohibited. Think, for example, ofsuch practices of research concerning biomedical or genetic data, but also of sociologicalresearch relating to political opinions, trade union memberships, or religious affiliations whichcan, either directly or indirectly, be traced back to specific individuals. Exceptions to theprohibition of the processing of specific categories of personal data are listed in Art. 9(2)GDPR. One of these exceptions has to apply in addition to the data processing principles forthe processing of this type of data to be legitimate.

The processing of all personal data, so therefore including special categories of personaldata, should be done in accordance with all the data processing principles of Art. 5 GDPR. Inthe following, we briefly address these principles and their relevance for the processing ofpersonal data for research purposes. In case the processing of personal data cannot be done inaccordance with the GDPR data processing principles, processing of such data is not allowedand the information will have to be anonymized. See for a detailed analysis of the requirementsfor anonymization the Article 29 Working Party opinion on anonymization techniques(2014).13

First of all, the processing of personal data should be done in accordance with the principlesof lawfulness, fairness, and transparency (Art. 5(1)(a) GDPR; Handbook on European dataprotection law 2018, pp. 117–122). Under the principle of lawfulness, processing of personaldata for research purposes can be based on consent of the data subject. Consent should begiven freely, which means that it should be based on genuine or free choice and that one shouldbe able to refuse or withdraw consent without detriment (Recital 42 GDPR). It is thereforeimportant to make sure that there are no other reasons for the data subject to consent, such aspotential access to experimental medicine related to participation in a research.14 Furthermore,

12 A useful schematic overview of these requirements for research purposes can be found via https://www.eur.en/sites/corporate/files/2017-11/How_to_treat_personal_data_in_research_1.0.pdf (accessed 25 February 2019).13 On the validity of the opinions of the Article 29 Working Party under the GDPR, see also footnote 10.14 In case of clinical trials, consent should according to Recital 161 GDPR also comply with the regulation onclinical trials on medicinal products for human use (Regulation (EU) No 536/2014), defining informed consent asBa subject’s free and voluntary expression of his or her willingness to participate in a particular clinical trial, afterhaving been informed of all aspects of the clinical trial that are relevant to the subject’s decision to participate or,in case of minors and of incapacitated subjects, an authorisation or agreement from their legally designatedrepresentative to include them in the clinical trial.^

917Higher Education (2019) 78:911–930

consent should be informed, unambiguous, and specific. However, when data are processedfor research purposes, it is often hard to define the exact research purposes on beforehand. TheGDPR therefore also allows for consent to a research in accordance with recognized ethicalstandards for scientific research (Recital 33 GDPR. Consider, e.g., The European Code ofConduct for Research Integrity). For the transfer of personal data to a third country, thistherefore entails that the relevant ethical standards should also be upheld in the country inquestion. Finally, there are some practical issues connected to the processing of personal datafor research purposes on the basis of consent under the GDPR. Science Europe has, forexample, made clear that for some research purposes, it may be hard or even impossible toacquire consent, such as in observational research studies where the sample size can be verylarge (Science Europe 2016). Moreover, a data subject has the right to withdraw his or herconsent on the basis of Art. 7(3) GDPR, which can make this a rather unstable ground forprocessing. Higher thresholds apply for the processing of special categories of personal data.For the processing of special categories of personal data, Art. 9(2) (a) GDPR provides thatnormal consent does not suffice, but that on top of the aforementioned requirements, explicitconsent is required.

The processing of personal data for research purposes is also possible on the basis of Art.6(1)(f) GDPR. Under this article, personal data may be processed in case this is necessary forthe purposes of the legitimate interests pursued by the research institution or by a third party.These interests should however be balanced against the interests or fundamental rights andfreedoms of the data subject. Art. 6(1)(f) GDPR offers additional protection to children; theprocessing of their personal data therefore seems to be less viable on the basis of this balancingact. A similar balance of interests with regard to the processing of special categories ofpersonal data for research purposes can be found in Art. 9(2)(j) GDPR, although the stakesin this balancing act are higher. Under this article, processing is allowed in case there is a basisfor doing so in Member State law and if the processing is necessary for research purposes,while the essence of the right to data protection is respected and in case specific measures aretaken to safeguard the fundamental rights and interests of the data subject (see also Art. 89(1)GDPR). These measures may include the use of pseudonymization when possible andanonymization of the data as soon as it is not necessary anymore to identify the data subject.15

The legal basis in Dutch law, for example, provides that processing of special categories ofpersonal data for scientific purposes is possible in case the research serves a public interest andif it is impossible or would require a disproportionate effort to request consent while safe-guards are in place to make sure that the data subject’s privacy would not be disproportionatelyjeopardized (Art. 24 Implementing Act GDPR). Germany applies a similar regime, byproviding that the processing of special categories of personal data is also possible withoutconsent, if this is necessary for the purposes and interests of the research institution as long asthese purposes and interests outweigh the purposes and interests of the data subject (Art. 27

15 There is a difference between pseudonimyzation and anonymization. Anonymized data cannot be traced backto an individual person and therefore falls outside the scope of the GDPR. Art. 4(5) GDPR definespseudonymization as Bthe processing of personal data in such a manner that the personal data can no longerbe attributed to a specific data subject without the use of additional information, provided that such additionalinformation is kept separately and is subject to technical and organizational measures to ensure that the personaldata are not attributed to an identified or identifiable natural person.^ Pseudonymization, however, is onlyconsidered to be a safety measure, existing in, e.g., the coding of names, and therefore the GDPR remainsapplicable. In this way, pseudonymization is a way to comply with the data protection obligations under theGDPR.

918 Higher Education (2019) 78:911–930

Federal Data Protection Act). Germany thereby does not explicitly require that the researchserves a public interest, and thereby seems to be more lenient with regard to personal dataprocessing for research purposes.16 The different regimes that European Member States mayapply with regard to processing of personal data for research purposes may prove to be anobstacle for international research cooperation, as is also pointed out by, among others, theLeague of European Research Universities (Nicholson 2018).

The principle of fairness requires that the data subject is informed of the risks connected tothe processing of his or her personal data, in order to make sure that the processing does nothave unforeseeable negative effects. The principle of transparency furthermore requires thatdata subjects are informed of the processing of their data, the purposes of such processing, andthe identity and address of the institution that is responsible for the processing. This informa-tion must be provided in a clear way, so that data subjects are able to understand the (legal)context in which their data are being processed. Visualization should be used when appropri-ate, for example, by using a website informing the data subject on the aforementioned factor.Lastly, data subjects should be able to access their data, although Member State law may understrict conditions provide for derogations to this right in the context of scientific research (Art.15 and 89(2) GDPR).

Secondly, the principle of purpose limitation requires that the purposes of the processing ofpersonal data are defined in advance and that the processing may not go further than thesepredefined purposes (Art. 5(1)(b) GDPR). Also on this point, the GDPR provides a specificderogation for the further processing of personal data for research purposes in this article.Under this exception, further processing of such data for research purposes is possible,provided that safeguards for the rights and freedoms of the data subject are applicable to makesure that no more than necessary data are being processed. This may necessitatepseudonymization and anonymization as soon as possible (Handbook on European dataprotection law 2018, 122–125). This means that in case personal data are collected for goalA, their processing may not go further than is necessary for reaching goal A. During scientificresearch, however, it may become clear that the data may also be relevant for reaching goal B.If sufficient safeguards are in place, the data may in principle in that case also be processed forgoal B.

This brings us to the principle of data minimization, which is the third data processingprinciple (Art. 5(1) (c) GDPR). Under this principle, the processing of personal data may notgo further than what is necessary for the legitimate purpose and may only take place if thereare no other means to meet the same objective. This principle thereby may also lead to theconclusion that pseudonymization or other protecting measures are necessary (Handbook onEuropean data protection law 2018, pp. 125–127).

Under the fourth data processing principle, data must be accurate and, where necessary,kept up to date (Art. 5(1) (d) GDPR; Handbook on European data protection law 2018, pp.127–128). This principle must be implemented in line with the purposes of the processing ofthe personal data. Sometimes, a research can only build upon data that reflect the state ofaffairs at a certain moment in time. Updating is then not required. Here again, it depends on thelegislation of a specific Member State to what extent a data subject can actually exercise their

16 For an updated overview of GDPR implementation acts in place in the different Member States, see alsohttps://uk.practicallaw.thomsonreuters.com/w-013-1949?transitionType=Default&contextData=(sc.Default)&firstPage=true&comp=pluk (accessed 25 February 2019).

919Higher Education (2019) 78:911–930

related right to rectification if his or her data are used for scientific research purposes (Art.89(3) in connection with Art. 16 GDPR).

According to the principle of storage limitation, as laid down in Art. 5(1)(e) GDPR, datamust be kept in a form that does not permit the identification of an individual for a longerperiod than necessary for the purposes of data processing, meaning that the personal data haveto be deleted or anonymized as soon as possible. Data that are being processed for researchpurposes may be stored for a longer period, if appropriate technical and organizationalmeasures have been taken for safeguarding the rights and freedoms of the data subject duringthis extended storing period. Under Recital 39 GDPR, this requires a periodic review in orderto determine whether the data have to be erased (Handbook on European data protection law2018, pp. 129–130).

Finally, the principles of integrity and confidentiality provide that measures have to betaken in order to prevent unauthorized or unlawful processing and accidental loss, destruction,or damage (Art. 5(1)(f) GDPR; Handbook on European data protection law 2018, pp. 131–134). In order to do so, research institutions should as much as possible make use of privacy bydesign and by default, meaning that security measures should be integrated in the processingprocedure (Art. 25 GDPR). Categories of data of which the breach of security measures mighthave considerable impact on the rights and freedoms of individuals, such as special categoriesof personal data, may require more protection (see also Art. 32 GDPR). Relevant factors in thisregard are among others whether the processing of the data might give rise to discrimination,identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality ofpersonal data protected by professional secrecy, unauthorized reversal of pseudonymization,or any other significant economic or social disadvantage (Recital 75 GDPR). Similarly, theprocessing of special categories of personal data requires more protection, which is alsosubstantiated in the GDPR: processing of such data on a large scale requires a data protectionimpact assessment to be made (Art. 35(3)(b) GDPR) and in some cases also the designation ofa data protection officer on the basis of Art. 37(1)(c) GDPR. The data protection officer has thetask to inform and advise the institutions involved in the processing of personal data on theirobligations under the GDPR and to coordinate compliance (see further Art. 39 GDPR).

Ensuring a sufficient level of protection

After having determined whether there is a ground for a transfer of personal data to a countryoutside the EU, the next question is whether the European level of protection of personal datais not undermined by that particular transfer (Art. 44 GDPR; European Commission 2017).

The GDPR contains several possibilities for safeguarding the GDPR’s level of protection incase of personal data transfers to third countries. Firstly, a transfer of personal data can takeplace on the basis of a decision of the European Commission in which it is decided that thethird country in question ensures an adequate level of protection (for more on this so-calledadequacy decision, see Art. 45 GDPR).17 When assessing a third country’s adequacy ofprotection, the Commission has to take the complete legal system of the country in questioninto account, therefore, including elements such as the respect for the rule of law, human rightsnorms, access to justice, the existence and effectiveness of an independent data protection

17 See also https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en for a more detailed description of the procedure for granting an adequacydecision and for a list of countries for which the EU has taken an adequacy decision (accessed 25 February 2019).

920 Higher Education (2019) 78:911–930

authority, and the international commitments the third party has entered into (Art. 45(2) GDPRand, related, Recitals 103–107). In its 2015 decision in the case of Maximilian Schrems, theCourt of Justice of the European Union further elaborated on the concept of adequacy andestablishes additional standards that have to be met in order to grant an adequacy decision.18

According to this decision, the third country in question does not have to ensure a level ofprotection that is identical to that of the EU. The third country must, however, ensure that itslaws and standards offer a level of protection of fundamental rights and freedoms that isessentially equivalent to the level of protection offered within the EU under the Data ProtectionDirective (now the GDPR), seen in light of the European Charter of Fundamental Rights. Thislevel of protection should also be applicable to the public authorities of the third country, andthe applicable legislation should offer an individual the opportunity to apply legal remedies foraccess to and correction of personal data.

Secondly, if no adequacy decision has been taken, a transfer of personal data is possible onthe basis of Art. 46 GDPR. Under this article, a transfer is still possible if appropriatesafeguards are provided, and on condition that enforceable rights and effective legal remediesfor data subjects are available. Such safeguards include legally binding and enforceableinstruments between public authorities or bodies, binding corporate rules, or standard contrac-tual clauses between the different parties that are approved by the national supervisoryauthority (see further Art. 46(2) and (3) GDPR).

In case no adequacy decision has been taken and appropriate safeguards are absent, Art. 49GDPR provides that a transfer of personal data to a third country is still possible in specificcases, for example, when the data subject has explicitly consented with such a transfer or whenthe transfer is necessary for protecting the vital interests of the data subject, where the datasubject is physically or legally incapable of giving consent.

The European Commission has not taken an adequate decision with regard to China, and onthe basis of our information, no procedure for granting such a decision is currently pendingbefore the European Commission.19 It therefore has to be determined whether a transfer ispossible on the basis of either Art. 46 or 49 GDPR. In order to do so, we provide a briefcomparative glance at the Chinese data protection regime in the following section. Inthe section on BFuture directions for transporting personal data over the New Silk Road^,we analyze the consequences of the Chinese approach for the transfer of personal data from theEuropean Union to China through the lens of the GDPR.

A brief comparative glance at the Chinese regime for data protection

Before providing a comparative glance at the Chinese regime with regard to the protection ofpersonal data, it is important to note that the assessment of the level of protection offered by adata protection regime in a third country cannot be sufficiently conducted within the limits ofthis contribution (see also, in this regard, Greenleaf 2017b, p. 3). This is especially the case forthe Chinese system, which is rooted in a completely different cultural and legal tradition,thereby further complicating any comparison (De Hert and Papakonstantinou 2015, p. 7).

18 Case C-362/14 Maximillian Schrems v Data Protection Commissioner and Digital Rights Ireland LtdECLI:EU:C:2015:650 [2015].19 For the latest update, see also https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en (accessed 25 February 2019).

921Higher Education (2019) 78:911–930

Therefore, in this section, we do not aim to provide a complete or exhaustive overview of theChinese legal system with regard to the protection of personal data. Instead, we paint its maincharacteristics with a broad brush, by looking through the lens of the GDPR which wasintroduced in the foregoing sections. Through this approach, we aim to avoid making anynormative statements, as we use the GDPR in order to identify possible challenges fortransferring personal data to China in collaborative research. As already stated, when analyzingthe potential for a transfer of personal data, other circumstances surrounding that transfershould also be taken into account. This section therefore also touches upon broader topics,such as the rule of law and the (legal) position of the individual.

In 2015, a review of the Chinese approach towards the protection of personal data has beenconducted by De Hert and Papakonstantinou. They concluded that from the perspective of theEuropean Data Protection Directive (the predecessor of the GDPR), one cannot speak of aproper data protection regime in China. On the one hand, the European regime of dataprotection has a basis in fundamental rights and is therefore broadly applicable and protectsall individuals. On the other hand, the Chinese approach is based on a multitude of provisionswhich are mostly of instrumental importance for the development of specific sectors—such ase-commerce or public security—or focus on individuals in a specific capacity, such as that ofconsumer (De Hert and Papakonstantinou 2015, p. 14). In this section, we also take intoaccount the recent developments in the Chinese approach towards the protection of personaldata in order to find out to what extent De Hert and Papakonstantinou’s conclusions still holdtrue.

A right to the protection of privacy is contained in Chinese basic law. However, thisright is mostly interpreted as a right to dignity, and therefore as not including a right toprivacy in the European sense or the GDPR’s right to the protection of personal data(Hert and Papakonstantinou 2015, p. 14; Chen et al. 2015, p. 728).20 Moreover, this rightis generally viewed as not justiciable, meaning that it cannot be invoked before a courtand therefore leaving the individual potentially empty-handed (De Hert andPapakonstantinou 2015, p. 16; Greenleaf 2014, p. 196). Protection of personal data ishowever also offered in several provisions in both penal law and civil law, via inter aliaArt. 286(1) Criminal Law and several provisions of the 1986 General Principles of theCivil Law and the subsequent 2009 Tort Liability Law. For a more detailed discussion ofthis legislation, see Ning and Wu (2018, sect. 1.2), Livingston and Greenleaf (2015), andGreenleaf (2017, p. 19; 2017a, p. 9). The aforementioned legislation is still ratherambiguous, as it only provides that personal data have to be protected, but not what thisexactly entails and how this should be done. The 2012 Decision on Strengthening InternetInformation Protection of the Standing Committee of the National People’s Congressfurther clarifies this for network service providers, by laying down that if network serviceproviders collect or use citizens’ individual electronic information, they have to complywith the principles of legality, legitimacy, and necessity and have to indicate the objective,methods, and scope for collection and use of information (De Hert and Papakonstantinou2015, pp. 19–20). In the following articles of the Standing Committee of the NationalPeople’s Congress decision, issues such as confidentiality, security, and the rights torequest data controllers to delete information, to cease possible infringements or to reportto the controlling departments, are introduced. Similar developments can be seen in

20 For more on the distinction between privacy and data protection from a European perspective, see Kokott andSobotta (2013).

922 Higher Education (2019) 78:911–930

sector-specific lower level rules, providing data protection requirements for, e.g., banks,medical institutions, and the telecommunication sector (De Hert and Papakonstantinou2015, pp. 20–21; Ning and Wu 2018, sect. 1.2).

The protection of personal data in the digital sphere is further strengthened by the CyberSecurity Law, which entered into force on 1 June 2017. This law of the Standing Committee ofthe National People’s Congress adds clearer definitions of the fundamental concepts in dataprotection law and also introduces processing principles similar to those found in the EU, suchas that of lawful processing, legitimacy, and necessity when collecting and using personalinformation and the obligation to keep collected information strictly confidential (see alsoGreenleaf 2017a, p. 2; Maisog and Li 2017; Xia 2017). The Cyber Security Law is furtherclarified in the Personal Information Security Specification, which entered into force on 1May 2018 (Sacks 2018b). Although the Cybersecurity Law and the Personal InformationSecurity Specification certainly raise the level of protection of personal data (Sacks 2018a;Sacks 2018b), the exact interpretation of their concepts is still debated (Sacks et al. 2017;Sacks 2018b, sect. 2). Moreover, the scheme still does not provide for a right of access for datasubjects, data quality requirements, or a specific regime for sensitive data. Furthermore, itsexact scope of application—especially in the public sector—remains unclear (Greenleaf2017a, pp. 2–3).

The Chinese government has also acknowledged the importance and potential of researchon the basis of genetic material and biobanks, and has enforced legislation in order to protectrelated personal data. Although this legislation is criticized for its possible narrow scope andfor the fact that it is argued to be mainly focused on stimulating scientific competitiveness, italso seems to have importance for the protection of personal data, especially seen in connec-tion with the Guidelines of the Shanghai Biobank Network (Chen et al. 2015).

It is against the background of the aforementioned developments, however, that two expertson Chinese Law—Chao Jing and Tom Zwart—provide a different perspective on the Chinesesituation.21 They reported to us that, in their view, the current legal state of affairs in Chinaregarding data protection already meets the GDPR requirements to a large extent, since dataprotection is being guaranteed by a number of specific laws. In addition, they argue that—although it is true that the right to privacy as laid down in Article 40 of the Constitution is non-justiciable—the personality rights included in the 2009 Tort Liability Law including the rightto data protection, are. Therefore, they do not share what they call Bthe dim view^ expressedby De Hert and Papakonstantinou. Nevertheless, they agree that, with regard to data protectionin China, there is Bconsiderable room for improvement". They point at a bill for a PersonalInformation Protection Law that is currently pending before the Standing Committee of theNational People’s Congress. According to their information, the bill does not only compre-hensively protect the storage and usage of personal data but would also offer individuals theright of access, the right to rectification, and the right to be forgotten to data subjects. The billwould apply to both the public and the private sectors and also introduce a liability scheme.This proposal forms part of the 13th Legislative Plan of the Standing Committee of theNational People’s Congress and on 7 September 2018; the Standing Committee has awardedBClass 1^ status to it, which means that it will be enacted during the current five-year

21 We asked for their expert opinion on one of the initial drafts of this contribution. They sent their report to us on25 September 2018. Chao Jing is a PhD student at Utrecht University and specializes in the influence of nationalsecurity on human rights in among others China. Tom Zwart is a professor in cross-cultural law at UtrechtUniversity.

923Higher Education (2019) 78:911–930

legislative plan, running until 2023.22 This, of course, could all be positive news, but it remainsto be seen whether the new bill would really offer the required extra legal protection, let aloneif it would offer this protection in time.

At this point, it is important to further discuss the setting in which any type of legislation inChina has to be put into effect. Although the development of legislation in the field of dataprotection looks promising, there are also some more critical remarks to be made. First of all,there is no single independent authority in place to supervise compliance with the dataprotection rules. There are many sector-specific authorities related to, for example, governmentdepartments, but it is argued that the scope of their jurisdiction is not clear (Ning and Wu 2018,sect. 1.4; Sacks 2018b; Dong 2018, sect. VII). This results in conflicts about which institutionhas control and who has the power to give a final interpretation (Sacks et al. 2017; Sacks2018b, sect. 2 and conclusion). In line with this, from a GDPR perspective, some criticalremarks can be made with regard to these authorities’ independence, given their often strongties with other government institutions. As an independent supervisory authority is absent, theprotection of individuals is to a large extent dependent upon private enforcement, i.e., on anindividual’s own decision to bring a case to court. In this regard, it is important to note thatChinese courts are often characterized as Bunwelcoming^ and to a large extent subject topolitical instructions (Glenn 2014, p. 351). Moreover, McCuaig-Johnston and Zhang point outthat China is a country where Bthe concept of rights is (…) weakly established and the rule oflaw is hostage to politics", whereas the protection of both is crucial under the GDPR(McCuaig-Johnston and Zhang 2015, p. 29). A similar development is noticed by Greenleaf,who describes a move away from the rule of law under the Xi Jinping administration towardsmore political and party control (Greenleaf 2017b, p. 18). Such developments are also noticedin the academic world, where researchers mention increasing political interference in amongothers the field of research and international cooperation, for example, by increasing difficul-ties to access the internet, camera’s in classrooms, and challenges for scientists and universitystaff for getting the required visa for working in China (D’Hooge et al. 2018, p. 11).Additionally, the decisions of Chinese judges that have been given are often not binding,not enforced in practice, or contain diverging interpretations (Glenn 2014, p. 352; Dong 2017,sect. VIII). Also, the European Parliament mentions the challenges for a proper data protectionsystem that might result from the lack of democratic conditions for the respect of human rights,such as independent courts, legal certainty, and adequate means of enforcement (EuropeanParliament 2016; see also De Hert and Papakonstantinou 2015, p. 25).

Secondly, the role of the individual in relation to the collective in China differs from themore autonomous role of the individual as it is perceived in European society (Glenn 2014, pp.336–337). This might have consequences for the application of the exemptions from theprotection of personal data in China: the processing of personal data is still allowed for reasonsof national security, the public interest, or judicial procedures (Li and Wang 2018). Althoughsuch exceptions also exist in European law, the European legislation explicitly requires abalancing act and offers protection to the position of the individual via the role of the judge.Furthermore, given the Chinese legal system’s focus on the collective, it seems likely that thecollective interest in such a balancing act will often prevail over the individual interest ofprotection of personal data. Similar concerns are also expressed by European Commissioner

22 For the latest updates, see https://zh.wikisource.org/wiki/User:NPCObserver/13thNPCSCLegislativePlan(accessed on 25 February 2019).

924 Higher Education (2019) 78:911–930

Violeta Bulc in a 2016 debate in the European Parliament on the transfer of personal data toChina (European Parliament debate 7 July 2016).

Finally, we see a worrying development in the increase of governmental control over wholeparts of society, especially seen in light of the fact that the current data protection rules areunclear with regard to their applicability to the government (De Hert and Papakonstantinou2015, p. 15; Greenleaf 2017a, p. 3; Greenleaf 2017b, p. 21). Data—and especially personaldata—play an important role in the development of the Social Credit System (Chen andCheung 2017; Economist 2017), and also on the internet, government is strengthening its gripon personal information (Sacks and Triolo 2017). Similar developments are taking place in theacademic sector and thereby create questions on the protection position of personal data, forexample, when they are stored in state sanctioned data centers (Normille 2018; Sharma 2018).These concerns are stressed by a 2018 report of the Leiden Asia Centre, quoting a researcherdescribing that B[i]n China, researchers say they can use the data and promise to protect thedata and make sure nothing bad happens with it. But Chinese researchers cannot guarantee thatthese data might be used by Chinese politicians or civil servants later on^ (D’Hooge et al.2018, p. 22).

Future directions for transporting personal data over the New Silk Road

Besides the fact that the protection of personal data is a fundamental principle in the EuropeanUnion, which in our view therefore merits strong protection in its own right, the strictsanctioning regime as set out by Art. 83 GDPR might form a stimulus for complying withthe GDPR’s provisions. Depending on the circumstances of the case, a breach of the GDPRmight result in fines up to 20 million euros. Relevant circumstances in this regard are, forexample, the nature, gravity, and duration of the infringement, the behavior of the controller,and whether the infringement was intentional. Furthermore, Art. 82 GDPR introduces a rightto compensation for both the material and the immaterial damage which is the result of abreach of the GDPR. Therefore, the research institution—that is in most cases in charge ofdetermining the purposes and means of data processing and hence responsible for theprocessing (see also footnote 11 for more on this topic)—can be held directly liable in caseit transfers personal data to a country where these data are insufficiently protected and therebyacts in breach of the GDPR. Compliance with the GDPR, also in the context of collaborativeresearch, is thus important. In order to give researchers directions for navigating the New SilkRoad with research data, in this section, we assess the Chinese approach towards the protectionof personal data from the GDPR’s perspective.

However, before analyzing the implications of the GDPR’s regime on the transfer ofpersonal data for a transfer of personal data to China, it is important to mention that—likeDe Hert and Papakonstantinou also described in their 2015 report—a system of data protectioncannot and should not be broken down to its constitutional parts. Such an approach cannot beused to find common grounds, as one component does not function without the others (DeHert and Papakonstantinou 2015, pp. 13–14). Although the Chinese regime for the protectionof personal data as described above is certainly strengthening and becoming more coherent,especially on the internet, such a principle-based system is not in place for the protection ofpersonal data in other spheres. Moreover, a data protection authority does not exist, therebyleaving it up to the individual to enforce his or her data protection rights, which might be verycomplicated given the individual’s relatively weak position before Chinese courts. The GDPR

925Higher Education (2019) 78:911–930

offers possibilities to compensate for these deficiencies—for example, with legally bindingand enforceable instruments between public authorities or bodies, or codes of conduct—butthen it is very important to ensure that these instruments can stand the test of the GDPR. In theChinese context, as described above, where government surveillance rises at the expense ofindividual privacy and where the power of state authorities is not or only minimallycircumscribed by the rule of law, we are not sure to what extent the current discrepanciesbetween the legal systems of the European Union and China can easily be bridged. After all,the seemingly unlimited authority of the American security services to access personaldata also was the reason for stopping the exchange of personal data after the Schremscase that was also discussed in the BEnsuring a sufficient level of protection^ section.

Although we pay heed to the fact that De Hert and Papakonstantinou (2015, p. 28) propagate apragmatic approach when it comes to sharing personal data with China, we also think it isimportant to stress that their report seems to be mainly focused on the commercial and economicinterests that are served with data sharing. It is true that with regard to such data, a flexibleapproach might be possible as they are mostly processed via networks and therefore were alreadycovered by legislation such as the aforementioned 2012 decision of the Standing Committee ofthe National People’s Congress on Strengthening Internet Information Protection (see also thesection BA brief comparative glance at the Chinese regime for data protection^) and currently alsoby the Cyber Security Law. Research data, however, are not necessarily covered by this legalframework, which seems to be essentially aimed at stimulating public trust and promoting sales,and not so much at providing an individual control over his or her personal information (De Hertand Papakonstantinou 2015, p. 28). Although further arrangements might indeed be able tocompensate for this lack of rights and would therefore allow a more pragmatic approach as far asprocessing of personal data is covered by this legislative framework, it is important to make surethat such arrangements are immune to unwarranted government interference. In the currentsituation, it seems challenging at minimum to meet this requirement. For data that do not fallunder the current comprehensive Chinese legislation or special categories of personal data, evenmore carefulness is deemed to be necessary.

Until clear and more coordinated arrangements—similar to, for example, the EU-USPrivacy Shield—have been set up, a safer but also more complicated and fragile optionseems to be offered by Art. 49(1) GDPR. Under this provision, a transfer of personal datais also possible in case the data subject has explicitly consented to the proposed transfer,after having been informed of the possible risks of such transfers for the data subject due tothe absence of an adequate decision and appropriate safeguards. Here again, it is importantthat consent must be given freely (in this regard, see also the section BEnsuring a sufficientlevel of protection^). Sufficient safeguards therefore need to be provided in order to makesure that a data subject not only consents to the data transfer because it offers him or heraccess to, for example, experimental treatment. Additionally, arrangements should bemade in order to be sure that in such cases, the recognized ethical standards for scientificresearch that a research object can expect in the European Union are also upheld in China(see for more on this topic, for example, Warrell et al. 2009; Zeng and Resnik 2010; Liuet al. 2015). Finally, there might be cases in which a research institution has compellinginterests that necessitate the non-repetitive transfer of the personal data of a limitednumber of data subjects. Such a transfer is allowed under Art. 49(1) last section GDPRin case it is surrounded with suitable safeguards and the supervisory authority is informed.Given the aforementioned position of research as seemingly subordinate to broadersocietal goals and as an instrument in government policy strategies (D’Hooge et al.

926 Higher Education (2019) 78:911–930

2018, pp. 11, 25), we deem it hard to provide for such suitable safeguards without havingboth broader and stronger legal protection in place.

Conclusion

In the European Union, the GDPR regulates the processing of personal data. This legalinstrument is applicable to virtually any use of information that can either directly or indirectlybe traced back to an individual, and therefore also to information relating to living individualsthat is being processed for research purposes. As a form of processing, the transfer of personaldata to China in the context of a scientific research has to take place in accordance with theprocessing principles of the GDPR, meaning that they should be processed in a lawful, fair,and transparent way. Scientific research often concerns sensitive data, such as information ongenetics, biometrics, ethnicity, or health. These special categories of personal data may inprinciple not be processed, unless one of the exceptions mentioned in the GDPR is applicable.Moreover, all personal data should be processed in line with the recognized ethical standardsfor scientific research, also if they are transferred to a third country. Depending on the policy ofthe institution to which personal data are being transferred, this might thus necessitate furtherarrangements in order to make sure that these standards are upheld. Furthermore, the process-ing may not entail more data than those necessary for the purpose for which they have beencollected. On top of that, they should be accurate and not stored for longer than necessary forthe scientific purposes that they had been collected for. Lastly, the security of the system usedto process the personal data has to be safeguarded.

When the aforementioned conditions have been met, it is to be determined whether thelevel of protection that is offered by the European Union is not undermined with the transfer ofthe personal data to China. In determining whether this is the case, not only the specific dataprotection rules in China should be taken into account but also the system of which these rulesform a part. Although we see an increasingly coherent regime in China for the protection ofpersonal data, especially on the internet on the basis of the Cyber Security Law and its furtherimplementation, we have also identified challenges and worrying developments. These includeamong others a turn away from the rule of law, relatively weak protection of fundamentalrights, absence of an independent data protection authority, and an increase of state surveil-lance. At the same time, we see that academic collaboration with China offers uniqueopportunities. Also in this field, however, it is important to note that research in China seemsto serve broader society and government goals which may lead to individual interests being putaside in order to serve the general interest. From the European perspective on the protection ofpersonal data, such developments are problematic. As long as this can be compensated for bysetting up arrangements between the different parties involved, in a way that is immune tounwarranted state interference, a transfer is still possible. However, we question whether sucharrangements are realistic in the given situation and we therefore argue that a more compre-hensive instrument, for example, similar to the EU-US Privacy Shield, should be set up inorder to further facilitate the often indispensable exchange of information and thereby allowscience to come to its full potential. In our view, before such rules are established, a great dealof water will have to flow under the newly created New Silk Road bridge. Until then, from theperspective of protecting personal data, the safer way to go is to anonymize personal data thatare being transferred to China or to acquire explicit consent of the data subject, after havinginformed him or her of the risks relating to such a transfer.

927Higher Education (2019) 78:911–930

Acknowledgments The authors would like to thank Stefan Kulk, Mistale Taylor, Chao Jing, Qiao Cong-rui,Tom Zwart, and Charlotte Mol for their useful comments on earlier versions of this contribution.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 InternationalLicense (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and repro-duction in any medium, provided you give appropriate credit to the original author(s) and the source, provide alink to the Creative Commons license, and indicate if changes were made.

References

Article 29 Data Protection Working Party (2007), The concept of personal data (opinion 4/2007). Resourcedocument: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf. Accessed 25 Feb 2019.

Article 29 Data Protection Working Party (2010), The concepts of Bcontroller^ and Bprocessor^ (opinion1/2010). Resource document: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf. Accessed 25 Feb 2019.

Article 29 Data Protection Working Party (2014), Anonymisation techniques (opinion 05/2014). Resourcedocument: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf. Accessed 25 Feb 2019.

Barnard, C., & Peers, S. (2014). European Union law. Oxford: Oxford University Press.Buttarelli, G. (2016), The impact of GDPR on collaborative science (speech by Giovanni Buttarelli, EDPS, in

seminar organised by ISC Intelligence in Science, Brussels). Resource document: https://edps.europa.eu/press-publications/press-news/videos/impact-gdpr-collaborative-science_en. Accessed 25 Feb 2019.

Chen, H., Chan, B., and Joly, Y. (2015), Privacy and biobanking in China: a case of policy in transition, Journalof Law, Medicine and Ethics 4(43), 726–742.

Chen, Y., & Cheung, A. (2017). The transparent self under big data profiling: privacy and Chinese legislation onthe social credit system. Journal of Comparative Law, 12(2), 356–378.

Deeks, R. (2018), The digital silk road – China’s $200 billion project (science focus). Resource document:https://www.sciencefocus.com/future-technology/the-digital-silk-road-chinas-200-billion-project/. Accessed25 Feb 2019.

D’Hooge, I., Montulet, A., Wolff, M. de, and Pieke, F.N. (2018), Assessing Europe-China collaboration in highereducation and research (Leiden Asia Centre), Resource document: http://leidenasiacentre.en/wp-content/uploads/2018/11/LeidenAsiaCentre-Report-Assessing-Europe-China-Collaboration-in-Higher-Education-and-Research.pdf. Accessed 25 Feb 2019.

DG Internal Policies (2016), Data saves lives: the impact of the data protection regulation on personal data use incancer research – study for the ENVI Committee. Resource document: http://www.europarl.europa.eu/RegData/etudes/STUD/2016/569992/IPOL_STU(2016)569992_EN.pdf/. Accessed 25 Feb 2019.

Dong, M. (2017), China In: A.C. Raul (Ed.), Privacy, data protection and cybersecurity law review. London: LawBusiness Research.

Economist (2017). China invents the digital totalitarian state. Resource document: https://www.economist.com/briefing/2016/12/17/china-invents-the-digital-totalitarian-state. Accessed 25 Feb 2019.

Economist (2018), China talks of building a Bdigital silk road^. Resource document: https://www.economist.com/china/2018/05/31/china-talks-of-building-a-digital-silk-road. Accessed 25 Feb 2019.

Economist (2019a). How China could dominate science. Resource document: https://www.economist.com/leaders/2019/01/12/how-china-could-dominate-science. Accessed 25 Feb 2019.

Economist (2019b). Can China become a scientific superpower?. Resource document: https://www.economist.com/science-and-technology/2019/01/12/can-china-become-a-scientific-superpower. Accessed 25 Feb 2019.

ECtHR (2018), Guide on Article 8 of the European Convention on Human Rights. Resource document:https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf. Accessed 25 Feb 2019.

EU Delegation to China and Mongolia (2014. Research, innovation and science: cooperation between EUMember States, associated countries, the European Union and China. A testimony of excellence. Resourcedocument: http://eeas.europa.eu/archives/delegations/china/documents/eu_china/research_innovation/6_eumembers_states/140714_eu_ms_and_china_cooperation_brochure_final.pdf. Accessed 25 Feb 2019.

European Commission (2010). Communication from the commission to the European Parliament, the council,the economic and social committee and the committee of the regions: a comprehensive approach on personaldata protection in the European Union (COM(2010) 609 final). Resource document: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52010DC0609&from=EN. Accessed 25 Feb 2019.

928 Higher Education (2019) 78:911–930

European Commission (2017), Communication from the commission to the European Parliament and thecouncil: exchanging and protecting personal data in a globalised world (COM(2017) 7 final). Resourcedocument: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0007&from=EN.Accessed 25 Feb 2019.

European Parliament (2016), Personal data transfers to China. Resource document: http://www.europarl.europa.eu/RegData/etudes/ATAG/2016/583836/EPRS_ATA(2016)583836_EN.pdf. Accessed 25 Feb 2019.

European Parliament debate (2016), Personal data transfers to China. Resource document: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+CRE+20160707+ITEM-014+DOC+XML+V0//EN&language=EN. Accessed 25 Feb 2019.

FRA, ECtHR, CoE, EDPS. (2018). Handbook on European data protection law. Luxembourg: PublicationsOffice of the European Union.

Glenn, P. (2014), Legal traditions of the world. Oxford: Oxford University Press 2014.Greenleaf, G. (2014). Asian data privacy laws: trade & human rights perspectives. Oxford: Oxford University

Press.Greenleaf, G. (2017a). China’s new cybersecurity law – also a data privacy law? Privacy Laws & Business

International Report, 144, 1–7.Greenleaf, G. (2017b). 2014-2017 update to GrahamGreenleaf’s Asia data privacy laws – trade and human rights

perspectives. UNSW Law Research Paper, 47.De Hert, P. and Papankonstantinou, V. (2015), The data protection regime in China – in depth analysis for the

LIBE Committee. Resource document: http://www.europarl.europa.eu/RegData/etudes/IDAN/2015/536472/IPOL_IDA%282015%29536472_EN.pdf. Accessed 25 Feb 2019.

Hille, C., (22 October 2018), Chinese military researchers exploit western universities (Financial Times),Resource document: https://www.ft.com/content/ebe95b76-d8cc-11e8-a854-33d6f82e62f8. Accessed 25Feb 2019.

Kirby, W. & Van der Wende, M.(2019), The New Silk Road: implications for higher education in China and thewest? Cambridge Journal of Regions, Economy and Society 12(1). Resource document: https://doi.org/10.1093/cjres/rsy034 .

Kokott, J., & Sobotta, C. (2013). The distinction between privacy and data protection in the jurisprudence of theCJEU and the ECtHR. International Data Privacy Law, 4(3), 222–228.

Li, B. and Wang, J. (2018). China issues personal information security specification. Resource document:https://www.dataprotectionreport.com/2018/02/china-issues-personal-information-security-specification/.Accessed 25 Feb 2019.

Liu, C., Campbell, N., Gerstner, E., Lin, A, Li, P., Pincock, S., Gibbons, C., Zhou, Y., Gilloch, C., Huang, K. andPhillips, N. (2015), Turning point. Chinese science in transition (nature publishing group). Resourcedocument: https://www.nature.com/press_releases/turning_point.pdf. Accessed 25 Feb 2019.

Livingston, S., & Greenleaf, G. (2015). The emergence of tort liability for online privacy violations in China.Privacy Laws & Business International Report, 135, 22–24.

Maisog, M. and Li, J. (2017), China In: A. Bapat and A. P. Simpson (eds.), Data protection, London: GlobalLegal Group.

McCuaig-Johnston, M. and Zhang, M. (2015), China embarks on major changes in science and technology.China Institute University of Alberty Occasional Paper Series 2(2). Resource document: https://cloudfront.ualberta.ca/-/media/china/media-gallery/research/occasional-papers/stmccuaigjohnston-zhang201506.pdf.Accessed 25 Feb 2019.

Narayanan, A. and Shmatikov, V. (2008), Robust de-anonymization of large sparse datasets (2008 IEEESymposium on Security and Privacy, Oakland).

Nicholson, C. (2018), Data-law mess hampers R&D collaborations (research research). Resource document:https://www.leru.org/files/News/RE-data-law-mess-hampers-rd-collaborations.pdf. Accessed 25 Feb 2019.

Ning, S., & Wu, H. (2018). China. In T. Hickman & D. Gabel (Eds.), Data protection 2018. London: ICLG.OECD (2019a). Gross domestic spending on R&D (China, EU and USA statistics on 28-1-2019). Resource

document https://data.oecd.org/chart/5snO. Accessed 25 Feb 2019.OECD (2019b), R&D intensity in OECD countries and other economies (China, EU and USA statistics on 28-1-

2019). Resource document: https://public.tableau.com/shared/H2M9MQYPC?:display_count=no. Accessed25 Feb 2019.

Normille, D. (2018), China asserts firm grip on research data (ScienceMag). Resource document http://www.sciencemag.org/news/2018/04/china-asserts-firm-grip-research-data. Accessed 25 Feb 2019.

Robinson, N., Graux, H., Botterman, M., & Valeri, L. (2009). Review of the European data protection directive.Santa Monica: RAND Corporation, 2009 https://www.rand.org/pubs/technical_reports/TR710.html.Accessed 25 Feb 2019.

929Higher Education (2019) 78:911–930

Sacks, S. (2018a), New China data privacy standard looks more far-reaching than GDPR (Center for Strategicand International Studies). Resource document: https://www.csis.org/analysis/new-china-data-privacy-standard-looks-more-far-reaching-gdpr. Accessed 25 Feb 2019.

Sacks, S. (2018b), China’s emerging data privacy system and GDPR (Center for Strategic and InternationalStudies). Resource document: https://www.csis.org/analysis/chinas-emerging-data-privacy-system-and-gdpr.Accessed 25 Feb 2019.

Sacks, S., Triolo, P., Webster, G. (2017), Beyond the worst-case assumptions on China’s cybersecurity law (newAmerica). Resource document: https://www.newamerica.org/cybersecurity-initiative/blog/beyond-worst-case-assumptions-chinas-cybersecurity-law/. Accessed 25 Feb 2019.

Sacks, S. and Triolo, P., (2017), Shrinking anonymity in Chinese cyberspace (Center for Strategic andInternational Studies). Resource document: https://www.csis.org/analysis/shrinking-anonymity-chinese-cyberspace. Accessed 25 Feb 2019.

Science Europe (2016), Implications of the GDPR on science and research (presentation by Marie Timmermann).Resource document: http://iscintelligence.com/archivos_subidos/se_implications_of_dpr_on_science.pdf.Accessed 25 Feb 2019.

Sharma, Y. (2018), New data red tape could hamper international research (University World News) Resourcedocument: http://www.universityworldnews.com/article.php?story=20180720072113906. Accessed 25Feb 2019.

Voigt, P., & Von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR). Berlin/Heidelberg: Springer.

Warrell, D. et al (2009), China – UK research ethics (CURE) committee report. Resource document: https://mrc.ukri.org/publications/browse/china-uk-research-ethics-cure-committee-report. Accessed 25 Feb 2019.

Van der Wende, M. and Tijssen, R. (2019), China’s belt and road initiative finds new research partners in Europe(nature index). Resource document: https://www.natureindex.com/news-blog/chinas-belt-and-road-initiative-finds-new-research-partners-in-europe. Accessed 25 Feb 2019.

Xia, S. (2017), China cybersecurity and data protection laws: change is coming (China Law Blog). Resourcedocument: https://www.chinalawblog.com/2017/05/china-cybersecurity-and-data-protection-laws-change-is-coming.html. Accessed 25 Feb 2019.

Zeng, W., & Resnik, D. (2010). Research integrity in China: problems and prospects. Bioethics, 10(3), 164–171.

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps andinstitutional affiliations.

930 Higher Education (2019) 78:911–930